Can we get windows user details in chrome extension? - google-chrome-extension

I am adding a webchat(connected to bot framework) as extension in google chrome. I need to capture windows user details by javascript.

Nope, there's no API that can do it. You're welcome to see the list yourself.
There are 2 ideas that come close:
chrome.identity API can provide you the details of the Google user if the user is signed into Chrome - if you just need some sort of identifier. You'd need "identity" and "identity.email" permissions and would need to call chrome.identity.getProfileUserInfo. Interestingly, that produces no permission warnings.
Native Messaging allows you to create a Windows binary that your extension can talk to. Obviously, a native application can do whatever, including getting the signed-in user details, but that requires users to install another component from outside Web Store. In short: it's a big hammer that's likely not worth it for just this.

Related

Node.JS webapp: Authentication, Create Account, Forgot Password and Change Password

I would like to develop a new web-app in node.js (using express). I am relatively new to node.js world, so I assume there are frameworks that I am not familiar with.
Is there any framework (like Spring for Java) that manages authentication (and save the trouble from the developer)? Or each developer has to write this code over and over again?
Login/Logout is not all. There are other flows:
registration (create account),
forgot-password (and then set new password),
locking/unlocking an account,
change password
and I think I have covered all flows.
I know that each application has its own UI, forms, maybe with its logo, but the flow itself is similar for most applications.
In addition, I know that it is not that hard to implement, but it could be great to have some kind of tool / framework / infrastructure which implements the flows.
Is there such a tool/framework which helps applications' developers and implements these flows?
I've searched this issue but could not find anything.
Thanks!
Long ago I have developed authentication-flows for Java over Spring, and recently I wrote authentication-flows-js.
It is a module that answers most flows - authentication, registration, forgot-password, change password etc., and it is secured enough so applications can use it without the fear that it will be easily hacked.
It is for node.js applications (written in TypeScript) that use express. It is an open source (in GitHub). A release version is on npm, so you can use it as a dependency in your package.json.
In its README (and of course in the npm page) there are detailed explanations for everything and if something is missing - please let me know. An article will be published soon (I will add a link as a comment).
You can find here an example for a hosting application.
NOTE: I have heard comments like "It's not so difficult to implement". True.
But you have to make sure you take care of all cases. For example,
what happens if a user tries to create account that is already exists?
what happens if a user tries to create account that is already exists
but inactive? what about the policy of the password? (too long/too
short/how many capital etc.) what about sending the email with the
activation link to the user? how you create this link? should you
encrypt it? what about the controller that will receive the click on
the link and activate the account? and more...

How to enable other people's Android phone to use the test version of your unreleased Google Action?

I am developing a Google Action for Google Assistant and it is not yet a state where I can release. Even so I want it to be available for some tester, and in a near future, my client.
The simulator with the "test" is somewhat limited at auth request, name recognition (since it will only knows my action) and experience (to show my client), so I prefer not to depend on it for this case.
I found it is only possible to interact with a test version of an action if the project owner's account is logged in as a Google account in the phone where you want to call the action. Is it correct? Or there is another way?
I even tried adding my wife's Google account as a viewer to the project, but I am unable to call my action from her phone.
You can add people as a viewer to the project. Before those users can call your action on any of their devices, they will need to use the test console at https://console.actions.google.com/ once, this will enable testing on their device. After that they will be able to interact with your action on their devices.
Do note, the time in which the action is available on their account is limited by a time period (about a couple of months). If they cant access the action any more after a couple of months, just repeat the above step to reactivate testing for their account.
Update
One thing that you could consider in the two approached posted by #Prisoner and me is if your testers need to test on just a device or need access to the console as well. Using the approach from #Prisoner will allow your users to test on devices. The above approach will also allow testers to use the console at https://console.actions.google.com/.
In addition to #Jordi's answer, you can also do an Alpha Release of your Action. This lets you permit up to 20 additional accounts to the released version
Once you permit them using the console, you will send them the opt-in URL, which they should visit on a mobile device with that account. Once they have opted into the Alpha, they can activate it using the regular trigger phrase.

How to detect the malware app

I am a developer which working on security related area.Recently I
met a little problem. If I got a app such as android .apk or IOS .ipa.
How can I check whether it has malicious actions?
The first thought came to my mind is to check its manifest. To see
which kind of permission it has requested. But this general method can
not detect some actions such as record the screen snapshot or record
user tap position on screen.
Then I switched to search how app store and google play check the
app which submitted by developers. Turns out that they first check the
certificate or signature of the app to make sure it has been published
by trusted organization. Then statically check the system permission
that the app requested.
I guess there must be some in-depth detection method or theory
which used by google and apple to make sure their app is safe to
download. Can anyone provide me some useful information or website
link that I can learn from?
Thank you.

Privacy Policy URL - What if I use it for the owner's website only?

So, apparently I need to provide a Privacy Policy URL for my Instagram application.
The only reason I'm using this application, is for a website I built for a client of mine. The client wanted an automatic integration for her Instagram, so I went through the whole Instagram API hassle.
Now, the website is ready for production, so I wanted to get my app out of sandbox mode, but it looks like I need this Privacy Policy URL.
What's the best way to go about this?
Put a Privacy Policy page up on their website (really any website you can link to) and use that link. It can be a static HTML page, as long as you can link to it.
Instagram won't let you take an application like this out of Sandbox, btw. Your use case is not an approved use case. From Instagram's Developer Documentation under Invalid Use Cases:
One-off Projects. If you are an agency building websites or other integrations, note that we don't grant permissions to clients created for one-off projects. If you are interested in building a product, platform, or widget that will be used as a service across multiple projects, then you may submit a single client_id that you can use across multiple projects.
You can (probably) still achieve the outcome you're looking for but you will need to go back to the drawing board and rethink your application's use case before getting out of the Sandbox. I know some developers who really just don't understand (or care to understand) the policies and never make it out of Sandbox. It's a shame because they can read the technical portions of the documentation so easily but just can't/don't read/understand the more critical parts (like the Invalid Use Cases section).

Very simple user validation

I'm making an app and I plan to have some cloud happening with it, but I do not want to create a user data base and have the users need to remember their username and password.
Since it will be distributed through the chrome app store it's basically guaranteed that the user will have a google account. All I want to do is:
Get the user's email through the google account stuff. If I get it through there, well then their email is all the authentication I need to get that user's data.
If I end up putting the application on something other than chrome browser, I'll just have the user use their email to request a validation link, and then I'll send them a validation code for that account, they put the validation code into the application, it takes that as a verified user, so that's secure and easy as well.
EDIT: I'm looking into this. So far I have:
OAuth 2
Google API
But I have a problem that I don't know what to set as my javascript origins in the Google API and there isn't too much info on this abroad. If anyone can tell me what javascript origins I need to set for a chrome extension to access google api it would be a great help.
PS: Thanks for down vote, this is why I love resorting to stack exchange.
Hmmm, I think the only reason this was voted down is the fact that this question may be been asked somewhere on the site already (but I'll help you and give give a 1up).
So what you are wanting to use the Google OpenID. You will have to register your application with Google so they can provide OAuth2 tokens for you application. I have not done this with Google but with other services and it is pretty easy, just search around.
In terms of obtaining OAuth2 for your application in the chrome extension - this can be a pain since the extension is sandboxed and Google's example uses OAuth not OAuth2.
Here is solution I host on GitHub for this - I also use this in my extension GitHub Repositories:
https://github.com/jjNford/oauth2-chrome-extension
Hope this helps in some way. Don't get discourages with StackOverflow, it is a great resource with many great contributors.
Good luck!
I had to up vote you too as I'm tracking down a related issue so here is what I've found that may help.
According to these directions - http://code.google.com/p/google-api-javascript-client/wiki/Authentication - "In the "Authorized JavaScript Origins" box, enter the protocol and domain for your site." This should be the protocol (http:// or https://) followed by any optional subdomain followed by your domain name and no trailing slash. Nothing after the domain name.
This prevents certain kind of security attacks, see: http://en.wikipedia.org/wiki/Same_origin_policy.
There are some related questions here that I found that may help:
Problems with Google Picker API and selecting Google Drive items and google apis console 'Javascript origins'.
Now with all of that said, I am still trying to track down what values to put in there for one of my sites hosted as a Google Site, as none of the obvious values are working for me. So there may be some subtlety there that I have missed in this explanation.

Resources